Page 1 of 1

can't find error in user registration script *solved*

Posted: Mon Jun 11, 2007 2:33 pm
by suthie
this is my script:

Code: Select all

<?php

include 'error.php';
include 'dbconnect_silent.php';


$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
$image = "";
$link1 = "";
$link2 = "";
$link3 = "";
$link4 = "";

if ($_POST['username']=='' or $_POST['password']==''
     or $_POST['email']=='') {
       error('One or more required fields were left blank.\\n'.
             'Please fill them in and try again.');
   }

   // Check for existing user with the new id
   $sql = "SELECT COUNT(*) FROM user WHERE username = '$_POST[username]'";
   $result = mysql_query($sql);
   if (!$result) {
       error('A database error occurred in processing your '.
             'submission.\\nIf this error persists, please '.
             'contact you@example.com.');
   }
   if (@mysql_result($result,0,0)>0) {
       error('A user already exists with your chosen userid.\\n'.
             'Please try another.');
   }

//insert the values
$result= "INSERT INTO userdata (userid, username, password, email)".
   "VALUES ('NULL', '$username', '$password', '$email')";
if (mysql_query($result )){
echo "success in data entry!";
} else {
echo "could not insert data".mysql_error();
}
 
?>
each time i put it in, it yields this:
0) { error('A user already exists with your chosen userid.\n'. 'Please try another.'); } //insert the values $result= "INSERT INTO userdata (userid, username, password, email)". "VALUES ('NULL', '$username', '$password', '$email')"; if (mysql_query($result )){ echo "success in data entry!"; } else { echo "could not insert data".mysql_error(); } ?>
i noticed it is just cutting off the last piece of the code and displaying it as text. why is it doing this?

Posted: Mon Jun 11, 2007 3:10 pm
by arukomp
Try removing @ and see if script generates any errors. You should enable all error reporting when debugging a script.

Also, you could use mysql_num_rows() function to see whenever there's registered user with the same username:

Code: Select all

$username = $_POST['username'];
$result = mysql_query("SELECT * FROM user WHERE username = '$username'");
if (mysql_num_rows($result) > 0) {
    // User with this username already exists
}

Posted: Mon Jun 11, 2007 3:12 pm
by feyd
$username needs escaping, at least, too.

Posted: Mon Jun 11, 2007 5:06 pm
by suthie
alright, now im using this:

Code: Select all

<?php

include 'error.php';
include 'dbconnect_silent.php';


$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
$image = "";
$link1 = "";
$link2 = "";
$link3 = "";
$link4 = "";

if ($_POST['username']=='' or $_POST['password']==''
     or $_POST['email']=='') {
       error('One or more required fields were left blank.\\n'.
             'Please fill them in and try again.');
   }

   // Check for existing user with the new id
$result = mysql_query("SELECT * FROM user WHERE username = '$username'");
   if (!$result) {
       error('A database error occurred in processing your '.
             'submission.\\nIf this error persists, please '.
             'contact you@example.com.');
   }
   if (mysql_num_rows($result) != 0) {
       error('A user already exists with your chosen userid.\\n'.
             'Please try another.');
   }

//insert the values
$result= "INSERT INTO userdata (userid, username, password, email)".
   "VALUES ('NULL', '$username', '$password', '$email')";
if (mysql_query($result )){
echo "success in data entry!";
} else {
echo "could not insert data".mysql_error();
}
 
?>
problem solved!

Posted: Mon Jun 11, 2007 5:52 pm
by feyd
Submission data isn't being escaped, ergo you are open to injection attacks. Be careful.